Summary Points

We have developed novel concepts to augment the traditional but
incomplete access model for private data, employing Security
Mediators, which are workstations for security officers.
The principal augmentation is that our approach also checks what is being
released, and in doing so deals with the complexity of information
sources such as the medical record, with the complex collaborations
encountered in many realistic situations, and with errors in filing.
Checking access depends on metadata attached to the data. By checking
the actual contents of the data being released, TIHI overcomes
problems due to inadequate metadata tagging of all data elements with
respect to all possible accessors, a task that cannot be accomplished
in many complex and dynamic situations.
Papers describing our approach have been given at Medical Informatics
and Security conferences.

We have participated in Privacy protection review for the Social
Security Administration.
Our statement
has been submitted, and will become part of the official record.

A presentation was given in the track
Security
and Science at the 2004 AAAS conference in Seattle, WA.

We have prepared a statement for the
National Academy on healthcare information sharing and privacy.
However, it was not well understood by the editors and misrepresented.

We have supported the initial installation of a security mediator
at Incyte Corporation, to protect retrieval of clone data. This
technology transfer has been accomplished via Stanford
Secure Technologies (SST).

Brief

The TIHI project addresses the issues that arise when some
information must be shared among collaborating, but distinct
enterprises. Such enterprises cannot fully share their data and
information resources, although some information exchange is
essential. The TIHI model deals then with the protection of shared
information among friends, rather than with the withholding of
information from adversaries. Protection of information interchange
can also be necessary within a single enterprise, when authority and
responsibilities differ significantly.

TIHI also deals with a specific gap which exists in the current model of
authentication, authorization, information access, and presenting the
resulting information to the requestor. In most practical domains
there is no guarantee that the partitioning used for access will match
the partitioning used to organize data for storage and retrieval,
unless a very simple model (say: open, secret, top secret) is used and
rigorously employed. The unique aspect of the TIHI approach is that
it also checks the results.

Examples of enterprises that must collaborate are

Medical records departments with Physicians

Medical records departments with Billing Clerks

Hospitals with Public Health agencies.

Hospitals with Insurance companies

Hospitals with Suppliers and Distributors

Factories with Suppliers, forming Virtual enterprises

Factories with Distributors and Shipping Companies

Military commanders with Shipping companies

Military commanders with Intelligence Resources

Military commanders with Troops in the field

Individuals and institutions in these settings must share information
so they can collaborate. Exchange of information is being enabled by
the rapidly growing communication networks. Such communications are
moving inexorably towards automation, but needs for security when
collaborating are inadequately served. The focus of security research
has been on infrastructure improvements. Communication links are
being secured, authentication of users is being improved, and fences
around protected domains are being erected, so that we can be
protected against actions by enemies.
But little thought is being given to how to protect information
selectively when the accessors we are dealing with are legitimate but
diverse, and their legitimate rights to information overlap.
These access rights then form a complex web, which will not match the
capabilities of the record systems used to enter, store, use, and maintain the
information. Furthermore, preventing an occasional misfiling would
be an enormous burden for the data-processing organization.

In the TIHI project we are developing a tool to encode enterprise
policies, and have its operation managed by a security officer who has
the responsibility and authority to carry out the policies. TIHI deals
with the mismatch of access rights to data organization by checking
the retrieved result after access and before presenting it to the
user. Since automation can never resolve all questions, all instances
where automated rules are inadequate are displayed to the security
officer for manual resolution.
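The two points above, that access partitioning rarely matches storage partitioning and that TIHI therefore checks the retrieved result before presenting it and hands undecidable cases to the security officer, are illustrated by the following added example. It is not TIHI's own software; the requester categories, policy rules, field names, allowlist and sample records are all constructed assumptions for the illustration.

```python
"""Result-checking security mediator in the TIHI style (added example;
not the project's code). Records are retrieved first, then every record
is checked against the requester's policy before release. Rules that
cannot decide refer the record to the security officer's queue."""
import re

# Constructed policy: for each requester category, fields withheld from
# the result and free-text fields that must be scanned for identifiers.
POLICY = {
    # Researchers may see clinical data but never direct identifiers.
    "research": {"strip": {"name", "ssn", "address"}, "scan_text": {"notes"}},
    # Billing clerks get identifiers and charges but never clinical notes.
    "billing": {"strip": {"notes", "diagnosis"}, "scan_text": set()},
}

# An identifier pattern that the automated rules can decide on their own.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Capitalised words not on the (constructed) clinical allowlist may be
# names that were misfiled into free text; automation cannot be sure,
# so such records are referred rather than released or blocked.
CAP_WORD_RE = re.compile(r"\b[A-Z][a-z]{2,}\b")
CLINICAL_WORDS = {"Patient", "Tylenol", "Radiology", "Discharge"}


def check_record(record, requester):
    """Return (action, reasons, released_record).

    action is 'release', 'block' or 'refer'; released_record is the
    record with withheld fields removed, or None when blocked."""
    policy = POLICY.get(requester)
    if policy is None:
        return "block", ["no policy for requester category '%s'" % requester], None
    out = {k: v for k, v in record.items() if k not in policy["strip"]}
    reasons = []
    for fld in policy["scan_text"]:
        text = str(out.get(fld, ""))
        # Certain violation: an identifier pattern inside free text.
        if SSN_RE.search(text):
            return "block", ["%s: identifier pattern in free text" % fld], None
        # Certain violation: the value of a withheld field was misfiled
        # into a field that is being released.
        for ident in policy["strip"]:
            val = str(record.get(ident, ""))
            if val and val in text:
                return "block", ["%s: contains value of withheld field '%s'" % (fld, ident)], None
        # Uncertain: possible names the rules cannot judge.
        suspects = [w for w in CAP_WORD_RE.findall(text) if w not in CLINICAL_WORDS]
        if suspects:
            reasons.append("%s: possible names %s need review" % (fld, suspects))
    if reasons:
        return "refer", reasons, out
    return "release", reasons, out


def mediate(records, requester):
    """Check a retrieved result set; the 'refer' list is the officer's queue."""
    result = {"release": [], "block": [], "refer": []}
    for rec in records:
        action, reasons, out = check_record(rec, requester)
        result[action].append({"id": rec["id"], "reasons": reasons, "record": out})
    return result


# Constructed sample result set, as a storage system would return it.
SAMPLE_RECORDS = [
    {"id": 1, "name": "Jane Roe", "ssn": "000-00-0001", "address": "1 Example St",
     "diagnosis": "fracture", "notes": "Patient reports fall at home."},
    # Patient name misfiled into the notes field.
    {"id": 2, "name": "John Doe", "ssn": "000-00-0002", "address": "2 Example St",
     "diagnosis": "asthma", "notes": "Patient John Doe requests refill."},
    # A capitalised word that may be a name: needs the officer's judgement.
    {"id": 3, "name": "Alex Poe", "ssn": "000-00-0003", "address": "3 Example St",
     "diagnosis": "migraine", "notes": "Patient referred by Smith for MRI."},
    # Identifier typed into free text.
    {"id": 4, "name": "Sam Coe", "ssn": "000-00-0004", "address": "4 Example St",
     "diagnosis": "flu", "notes": "Patient SSN 000-00-0004 on file."},
]

if __name__ == "__main__":
    for requester in POLICY:
        outcome = mediate(SAMPLE_RECORDS, requester)
        for action, items in outcome.items():
            print(requester, action, [(i["id"], i["reasons"]) for i in items])
```

For the research requester the mediator releases record 1 with identifiers stripped, blocks records 2 and 4 on certain rules, and refers record 3 to the security officer; for the billing requester all four records are released without the clinical fields. The order of the checks matters: decidable rules run before the heuristic one, so a record never reaches the officer's queue when a rule could already have blocked it.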

Statement of Work

The work described here will be performed for SRI by Stanford
University to develop and demonstrate techniques for the trusted
interoperation of autonomous heterogeneous health care databases
containing sensitive data that mismatch in semantics, representations,
and security/privacy policies. The work will be built on the query
mediation framework being developed at SRI.

Presentation for ACMI Fellows meeting

Tasks

Task 1: Assist in the development of information-preserving
transformation rules for merging heterogeneous schemas.
Task 2: Assist in the development of a security/privacy policy model.
Review and comment on SRI's work on trusted query mediation.
Task 3: Assist in obtaining sample health care databases or schemas
as testbeds. Participate in the development of the demonstration system.
Assist in testing and evaluating the demonstration system.

Interview patients, hospital, community physicians, and public health
officials regarding their expectations for security and privacy.

Place this information into a formal model, preferably an inspectable and
modifiable on-line ontology.

Determine and assess existing security mechanisms that can satisfy that
need, specifically for inter-site communication.

Develop technologies where available mechanisms are lacking. We expect
that to be required for the transmission of private patient data for hospital
management, financial claims, and public health purposes.

Define mediators, to be owned by a security officer, to cover both
categories.

Establish the role of a security officer, equipped with appropriate tools,
in a healthcare environment.

Current efforts are to define the operation and interaction among
collaborating manufacturing units, and construct a platform for
demonstrating the required concepts.
The platform for SAW utilizes Java,

Participants at Stanford

Secure Sharing of Multimedia Medical Information on the Internet

Abstract

We propose to provide image filtering capabilities to complement other
means of checking the contents of documents. An example is information
contained in images that are part of an electronic medical record for
violations of security or privacy.

An increasing amount of information being transmitted over the
Internet is in image form. This trend will certainly affect medical
images (used in diagnosis or research) in the near future. Such
information has not been processed in the past with concern for
security or privacy. Our approach will provide an innovative
capability based on experience with image database and with protecting
the privacy of information in medical databases.

We will extend the facilities we have developed in current
security-oriented projects at Stanford (TIHI, SAW) to provide more
thorough filtering of medical information, including images containing
text. The TIHI effort, supported by NSF's HPPC challenge program, has
now built a prototype of a software tool, called a security mediator,
to enable legitimate external customers to obtain remote electronic
access to medical information residing in a medical institution, while
inhibiting the release of content that cannot be released, even when
the accessors appear to be authorized. The successor project, SAW,
focuses on protecting shared manufacturing data. Image filtering is
becoming relevant in manufacturing domains as well, since more and
more computerized information in manufacturing and business involves
images, but security of contents is not supported within the scope of
most research efforts.

Nearly all approaches to security focus on controlling access.
Unfortunately, controlling access alone requires a perfect organization
of the internal data in an enterprise. In many practical cases this
requirement cannot be fulfilled, since it implies a radical
restructuring of all internal information services. Aligning all
internal data to deal with external access privileges is costly not
only from the systems point of view, but also for all internal users
of information systems, who now must file all data according to
external requirements that are normally none of their concern.
Storing and securely labeling data in duplicate can solve the access
problem, but not the load on the participants. For instance, in a
hospital, if some X-rays are to be released for research purposes,
then copies must be made without the identifying marks that are used
internally to prevent misdiagnoses. In manufacturing, drawings
containing proprietary data must be edited if the decision is made to
have the parts produced by an external subcontractor.

Filtering of images in addition to text is becoming essential, since
modern computing has greatly facilitated the use of information in
image form. We believe that this will soon become relevant to
electronic medical information. We have developed novel means of
recognizing features in images, specifically in linking perceptual
factors to parameters in wavelet-based analysis of images.

We have experimented with a number of tools, mostly based on
parameterized wavelets, that can recognize crucial information, such
as text in images, and submit it to the content checking rules our
base TIHI system provides. Initial results are very promising.

In summary, the image filtering that we propose will rely primarily on
wavelet technology. Work has been completed at Stanford that
demonstrates the capability of indexing and retrieving images by
wavelet transform analysis. The wavelet approach has been
demonstrated to be fast and highly reliable. Its formal basis
provides stability in development over more ad-hoc approaches, and has
also been easy to transfer among programming languages. We will
further develop the existing algorithms focusing on the properties
evidenced by text placed within images. We anticipate that secure
transmission of electronic medical information over the Internet will
be a major area of application.

Prior Work

Prior research work was based on the development of
image database search
technology performed for the Stanford University Libraries and
extended as part of project class work
(CS54I).
We expect to cooperate with the medical image processing research (ICBM) at UCLA and
LRI at UCSF.

Summary Points

Specific projects related to security
and privacy include:

Identification of textual markings on X-rays

Recognition of objectionable images (WIPE)

Identification of objectionable (pornographic) web sites (IBCOW)

The technology is based on feature extraction using wavelet-based
decomposition, shape moments, and the linking of semantically relevant
perception parameters with the features.